dexter has uploaded this change for review. ( https://gerrit.osmocom.org/c/android-apdu-proxy/+/41803?usp=email )
Change subject: OmapiCallbackHandlerVpcd: fix extraction of DF-Name (AID)
......................................................................
OmapiCallbackHandlerVpcd: fix extraction of DF-Name (AID)
When the DF-Name (AID) is extracted from the SELECT TPDU, the length of the TPDU is not checked properly, which may lead to an exception in case no DF-Name (AID) is supplied. Let's put proper length checks in place to filter corner cases and to ensure that the DF-Name (AID) is properly extracted in case it is supplied.
Related: OS#6836
Change-Id: Idf08d752d046e012680c872552960cc069272777
---
M app/src/main/java/org/osmocom/androidApduProxy/OmapiCallbackHandlerVpcd.java
1 file changed, 24 insertions(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/android-apdu-proxy refs/changes/03/41803/1
diff --git a/app/src/main/java/org/osmocom/androidApduProxy/OmapiCallbackHandlerVpcd.java b/app/src/main/java/org/osmocom/androidApduProxy/OmapiCallbackHandlerVpcd.java index 57c5035..8f1d8c7 100644 --- a/app/src/main/java/org/osmocom/androidApduProxy/OmapiCallbackHandlerVpcd.java +++ b/app/src/main/java/org/osmocom/androidApduProxy/OmapiCallbackHandlerVpcd.java @@ -117,8 +117,31 @@ //AID is different, we close the OMAPI channel and re-open it with the new AID. If this fails, we //we just pretend that we haven't found the file. if (Arrays.equals(Arrays.copyOf(tpdu, 3), Utils.h2b("00A404"))) { - byte[] aidReq = Arrays.copyOfRange(tpdu, 5, tpdu.length - 1); int compareLength = 0; + + //Make sure that the Lc field of the TPDU does not exceed the TPDU length + if (tpdu[4] > tpdu.length - 5) { + Log.e("PROXY", String.format("SELECT by DF-Name with invalid length field, rejecting TPDU (%s)...\n", + Utils.b2h(tpdu))); + //see also ISO/IEC 7816-4, table 5 (wrong length; no further indication) + return (Utils.h2b("6700")); + } + + //Extract the DF-Name (AID) from the TPDU. + byte[] aidReq; + if (tpdu[4] > 0) { + //The DF-Name (AID) does not have to represent a full AID, a shortened (right truncated) AID + //is sufficient (see also ETSI TS 102 221, section 11.1.1.2). + aidReq = Arrays.copyOfRange(tpdu, 5, tpdu[4] + 5); + } else { + //ETSI TS 102 221, section 11.1.1.2 vaguely indicates that the DF-Name (AID) may also be + //left out entirely. GlobalPlatform Card Specification 2.1.1, section 9.9.2.3 is more + //concrete. According to GlobalPlatform, the ISD shall be selected in case no DF-Name is + //supplied. This is also coherent to Open Mobile API Specification – Public Review + //v3.2.0.13, section 4.2.7.8. + aidReq = new byte[0]; + } + if (omapiAid != null) { if (aidReq.length < omapiAid.length) compareLength = aidReq.length;
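Review bot: `tpdu[4]` is read before anything has verified that the TPDU actually has five bytes; the surrounding guard `Arrays.equals(Arrays.copyOf(tpdu, 3), Utils.h2b("00A404"))` only requires the first three bytes to match, so a truncated SELECT such as `00A40400` (header without Lc) still raises an ArrayIndexOutOfBoundsException at the new `if (tpdu[4] > tpdu.length - 5)` line, which is the kind of exception this change sets out to remove. Suggest adding `if (tpdu.length < 5) return (Utils.h2b("6700"));` ahead of the Lc comparison, or folding that condition into the existing length check. On the same lines, `tpdu[4]` is a signed Java `byte`: an Lc of 0x80 or above is negative, passes the `> tpdu.length - 5` check and then falls into the `else` branch, so a malformed TPDU is silently treated as "no DF-Name supplied" (ISD selection) instead of being rejected with 6700. Reading it once as `int lc = tpdu[4] & 0xFF;` and using `lc` in both comparisons and in `Arrays.copyOfRange(tpdu, 5, lc + 5)` makes the bounds check hold for the full byte range.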